> OK, now that port 587 is working, I would like to disable user submission via port 25. Not right now, but in a bit once people have a chance to change their settings.
>
> What do I do to prevent users sending via port25?
>

If not, go ahead and add it to submission now so things don't break
unexpectedly later.

This won't prevent users from sending local mail to port 25, but
they won't be able to authenticate and won't be able to relay. This
usually isn't considered a problem, and changing it often causes
other issues.

-- Noel Jones

John Allen


Message 2 of 13, Aug 26, 2013


On 26/08/2013 9:00 PM, Noel Jones wrote:

> On 8/26/2013 7:49 PM, LuKreme wrote:
>> OK, now that port 587 is working, I would like to disable user submission via port 25. Not right now, but in a bit once people have a chance to change their settings.
>>
>> What do I do to prevent users sending via port25?
>>
>
>
> Super easy...
>
> # main.cf
> smtpd_sasl_auth_enable = no
>
> Your master.cf submission entry probably already includes
> -o smtpd_sasl_auth_enable=yes
>
> If not, go ahead and add it to submission now so things don't break
> unexpectedly later.
>
> This won't prevent users from sending local mail to port 25, but
> they won't be able to authenticate and won't be able to relay. This
> usually isn't considered a problem, and changing it often causes
> other issues.
>
>
> -- Noel Jones
>

I based it on something that Noel Jones wrote way back in 2008.

Create a file of the networks you wish to deny access to, e.g.
“Deny_Mynetworks_Access”, the content of which will be the same networks
as those found in the mynetworks parameter of the main.cf file, for example:

192.168.0.0/16 REJECT local access not permitted
n.n.n.n/28 REJECT local access not permitted
[nnnn:nnnn:nnnn::]/64 REJECT local access not permitted

remove the permit_mynetworks from all the various
smtpd_xxxx_restrictions stanzas of main.cf. Then modify the master.cf by
adding
-o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
to the smtp service, and add
-o smtpd_client_restrictions=permit_mynetworks,.....
to the submission service.

This should deny access to the smtp port (25) from the local networks
while allowing access to the submission port (587).

LuKreme

... Oh, right, of course. (I also needed to remove my fixed IP at home from my networks, which is why I was still able to send out via my machine). -- NOBODY

> remove the permit_mynetworks from all the various smtpd_xxxx_restrictions stanzas of main.cf. Then modify the master.cf by adding
> -o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
> to the smtp service, and add
> -o smtpd_client_restrictions=permit_mynetworks,.....
> to the submission service.
>
> This should deny access to the smtp port (25) from the local networks while allowing access to the submission port (587).

That seems like a bit much. I allow the web-server (which hosts the webmail) in mynetworks, since users mailing from there are already authenticated. I can see there are situations where it would be a good idea.

--
"If I were willing to change my morals for convenience or financial
gain, we wouldn't be arguing, because I'd already *be* a Republican."
-- Wil Shipley

Stan Hoeppner


Message 5 of 13, Aug 27, 2013


On 8/26/2013 10:24 PM, John Allen wrote:

> I based it something that Noel Jones wrote way back in 2008.

I doubt that Noel suggested anything like this.

> Create a file of the networks you wish to deny access to eg.
> “Deny_Mynetworks_Access” the content of which will be the same networks
> as those found in the mynetworks parameter of the main.cf file for example:
>
> 192.168.0.0/16 REJECT local access not permitted
> n.n.n.n/28 REJECT local access not permitted
> [nnnn:nnnn:nnnn::]/64 REJECT local access not permitted
>
> remove the permit_mynetworks from all the various
> smtpd_xxxx_restrictions stanzas of main.cf. Then modify the master.cf by
> adding
> -o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
> to the smtp service, and add
> -o smtpd_client_restrictions=permit_mynetworks,.....
> to the submission service.

This is unnecessary and complex and actually won't work as stated. All
that is required is a one line change to master.cf and a CIDR file:


Message 6 of 13, Aug 27, 2013


On 2013.08.27 00.32, LuKreme wrote:

> That seem like a bit much. I allow the web-server (which hosts the
> webmail) in mynetworks, since users mailing from there are already
> authenticated. I can see there are situations where it would be a
> good idea.

web mail users should perform proper smtp authentication, just like they
would if they used any other client software. among numerous benefits,
it allows for easier auditing.

-ben

John Allen


Message 7 of 13, Aug 27, 2013


> On 8/26/2013 10:24 PM, John Allen wrote:
>
>> I based it something that Noel Jones wrote way back in 2008.
> I doubt that Noel suggested anything like this.
>
>> Create a file of the networks you wish to deny access to eg.
>> “Deny_Mynetworks_Access” the content of which will be the same networks
>> as those found in the mynetworks parameter of the main.cf file for example:
>>
>> 192.168.0.0/16 REJECT local access not permitted
>> n.n.n.n/28 REJECT local access not permitted
>> [nnnn:nnnn:nnnn::]/64 REJECT local access not permitted
>>
>> remove the permit_mynetworks from all the various
>> smtpd_xxxx_restrictions stanzas of main.cf. Then modify the master.cf by
>> adding
>> -o smtpd_client_restrictions=hash:Deny_Mynetworks_Access,.....
>> to the smtp service, and add
>> -o smtpd_client_restrictions=permit_mynetworks,.....
>> to the submission service.
> This unnecessary and complex and actually won't work as stated. All
> that is required is a one line change to master.cf and a CIDR file:
>
> /etc/postfix/master.cf
> ...
> smtp inet n - - - 20 smtpd
> -o smtpd_client_restrictions=check_client_access,\
> cidr:/etc/postfix/deny-local.cidr
>
> /etc/postfix/deny-local.cidr
> 192.168.0.0/16 REJECT local access not permitted
>
>
> Aug 27 01:28:21 greer postfix/smtpd[31670]: NOQUEUE: reject: RCPT from
> gffx.hardwarefreak.com[192.168.100.53]: 554 5.7.1
> <gffx.hardwarefreak.com[192.168.100.53]>: Client host rejected: local
> access not permitted; from=<stan@...> to=<xxxx@...>
> proto=ESMTP helo=<[192.168.100.53]>
>

Much simpler and far more elegant.

Noel Jones


Message 8 of 13, Aug 27, 2013


On 8/27/2013 11:36 AM, John Allen wrote:

>> On 8/26/2013 10:24 PM, John Allen wrote:
>>
>>> I based it something that Noel Jones wrote way back in 2008.
>> I doubt that Noel suggested anything like this.

2008 was a long time ago, possibly I've learned a thing or two since
then. Regardless, I think this was in response to a very specific
requirement not particularly related to the current issue.

Apparently whatever I told him worked, glad to be of help.

-- Noel Jones

Jeroen Geilman


Message 9 of 13, Aug 27, 2013


On 08/27/2013 05:24 AM, John Allen wrote:

>
>
> On 26/08/2013 9:00 PM, Noel Jones wrote:
>> On 8/26/2013 7:49 PM, LuKreme wrote:
>>> OK, now that port 587 is working, I would like to disable user
>>> submission via port 25. Not right now, but in a bit once people have
>>> a chance to change their settings.
>>>
>>> What do I do to prevent users sending via port25?
>>>
>>
>>
>> Super easy...
>>
>> # main.cf
>> smtpd_sasl_auth_enable = no
>>
>> Your master.cf submission entry probably already includes
>> -o smtpd_sasl_auth_enable=yes
>>
>> If not, go ahead and add it to submission now so things don't break
>> unexpectedly later.
>>
>> This won't prevent users from sending local mail to port 25, but
>> they won't be able to authenticate and won't be able to relay. This
>> usually isn't considered a problem, and changing it often causes
>> other issues.
>>
>>
>> -- Noel Jones
>>
> I based it something that Noel Jones wrote way back in 2008.
>
> Create a file of the networks you wish to deny access to eg.
> “Deny_Mynetworks_Access” the content of which will be the same
> networks as those found in the mynetworks parameter of the main.cf
> file for example:

This is entirely unnecessary, since moving reject_unauth_destination in
front of permit_mynetworks takes care of that.
Everything after reject_unauth_destination is impervious to relay
attempts, because it explicitly blocks all such attempts.
Yes, relay_domains would be an exception to this - but think why domains
are in relay_domains to begin with.

>
> This should deny access to the smtp port (25) from the local networks
> while allowing access to the submission port (587).

So what you're saying is basically "to deny access from the networks in
mynetworks, do this complicated thing" ?

A simpler way to do that would be to not put these networks in mynetworks.

--
J.
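An added example, not code from this thread or from Postfix: a small Python model of Postfix's first-match restriction evaluation, comparing the port-25 orderings discussed above (permit_mynetworks first, Jeroen's reject_unauth_destination first, and Stan's cidr: deny table on the smtp service) against a submission service that relies on SASL. The networks, domains, client addresses and the simplified evaluation rules are constructed assumptions, not Postfix's real implementation.

```python
import ipaddress
from dataclasses import dataclass
# Constructed model of Postfix first-match restriction evaluation (assumption:
# a restriction with no verdict falls through to the next one, and reaching
# the end of the list permits). Networks and domains are constructed samples.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16")]
MYDESTINATION = {"example.com"}
DENY_LOCAL_CIDR = {"192.168.0.0/16": "REJECT local access not permitted"}

@dataclass
class Client:
    ip: str
    sasl_user: str = ""   # non-empty once the client has authenticated

def in_mynetworks(client):
    return any(ipaddress.ip_address(client.ip) in net for net in MYNETWORKS)

def check_client_access(table, client):
    """cidr: lookup: the first matching network wins, as in a Postfix cidr map."""
    for net, action in table.items():
        if ipaddress.ip_address(client.ip) in ipaddress.ip_network(net):
            return action
    return None

def evaluate(restrictions, client, rcpt_domain, sasl_enabled=False):
    """Verdict of one smtpd_*_restrictions list for one RCPT TO."""
    for r in restrictions:
        if r == "permit_mynetworks" and in_mynetworks(client):
            return "PERMIT"
        if r == "permit_sasl_authenticated" and sasl_enabled and client.sasl_user:
            return "PERMIT"
        if r == "reject_unauth_destination" and rcpt_domain not in MYDESTINATION:
            return "REJECT relay access denied"
        if r.startswith("check_client_access"):   # table path ignored in this model
            action = check_client_access(DENY_LOCAL_CIDR, client)
            if action:
                return action
        if r == "reject":
            return "REJECT"
    return "PERMIT"

# (restrictions, smtpd_sasl_auth_enable) per service: port 25 variants and 587.
SMTP_ORIGINAL = (["permit_mynetworks", "reject_unauth_destination"], False)
SMTP_REORDERED = (["reject_unauth_destination", "permit_mynetworks"], False)  # Jeroen
SMTP_CIDR = (["check_client_access cidr:/etc/postfix/deny-local.cidr",
              "permit_mynetworks", "reject_unauth_destination"], False)       # Stan
SUBMISSION = (["permit_sasl_authenticated", "reject"], True)

def verdict(service, client, rcpt_domain):
    restrictions, sasl_enabled = service
    return evaluate(restrictions, client, rcpt_domain, sasl_enabled)
```

With the original ordering a LAN host relays to any domain without authenticating; the reordered list still accepts its local mail but refuses relaying, and the cidr table refuses it outright, while port 587 only ever permits a SASL-authenticated client.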

LuKreme


> A simpler way to do that would be to not put these networks in mynetworks.

Right. I have nothing in mynetworks but the two servers that sit next to each other. No one on the LAN is in mynetworks.

I was hesitant on taking the web server out, but I probably will since it turns out that both RoundCube and Squirrelmail were super easy to setup to use the submission port properly. I have to go through and make sure none of the websites have mail scripts that can't handle STARTTLS/587.


Message 11 of 13, Aug 27, 2013


On 27/08/2013 6:09 PM, Jeroen Geilman wrote:

> On 08/27/2013 05:24 AM, John Allen wrote:
>>
>>
>> On 26/08/2013 9:00 PM, Noel Jones wrote:
>>> On 8/26/2013 7:49 PM, LuKreme wrote:
>>>> OK, now that port 587 is working, I would like to disable user
>>>> submission via port 25. Not right now, but in a bit once people
>>>> have a chance to change their settings.
>>>>
>>>> What do I do to prevent users sending via port25?
>>>>
>>>
>>>
>>> Super easy...
>>>
>>> # main.cf
>>> smtpd_sasl_auth_enable = no
>>>
>>> Your master.cf submission entry probably already includes
>>> -o smtpd_sasl_auth_enable=yes
>>>
>>> If not, go ahead and add it to submission now so things don't break
>>> unexpectedly later.
>>>
>>> This won't prevent users from sending local mail to port 25, but
>>> they won't be able to authenticate and won't be able to relay. This
>>> usually isn't considered a problem, and changing it often causes
>>> other issues.
>>>
>>>
>>> -- Noel Jones
>>>
>> I based it something that Noel Jones wrote way back in 2008.
>>
>> Create a file of the networks you wish to deny access to eg.
>> “Deny_Mynetworks_Access” the content of which will be the same
>> networks as those found in the mynetworks parameter of the main.cf
>> file for example:
>
> This is entirely unnecessary, since moving reject_unauth_destination
> in front of permit_mynetworks takes care of that.
> Everything after reject_unauth_destination is impervious to relay
> attempts, because it explicitly blocks all such attempts.
> Yes, relay_domains would be an exception to this - but think why
> domains are in relay_domains to begin with.
>
>>
>> This should deny access to the smtp port (25) from the local networks
>> while allowing access to the submission port (587).
>
> So what you're saying is basically "to deny access from the networks
> in mynetworks, do this complicated thing" ?
>
> A simpler way to do that would be to not put these networks in
> mynetworks.
>

If I remember correctly the question was how do I stop local users using
port 25, while allowing them to access port 587. I felt that the
restriction should be applied to SMTP and not to SUBMISSION.
I agree that my solution is not very good and I think that Stan
Hoeppner's response is a much more elegant solution than mine.

Stan Hoeppner


Message 12 of 13, Aug 28, 2013


On 8/27/2013 6:34 PM, John Allen wrote:

> On 27/08/2013 6:09 PM, Jeroen Geilman wrote:

>> A simpler way to do that would be to not put these networks in
>> mynetworks.
>>
> If I remember correctly the question was how do I stop local users using
> port 25, while allowing them to access port 587. I felt that the
> restriction should be applied to SMTP and not to SUBMISSION.
> I agree that my solution is not very good and I think that Stan
> Hoeppner's response is a much more elegant solution than mine.

To be clear, I wasn't offering a solution to the OP's requirement, but
simply cleaning up and optimizing your approach into something that
would actually work.

Jeroen offered the solution.

--
Stan
